Passwords, Complexity, and Responsibility

Everyone in IT knows basic password security, and we’ve all seen this comic over on xkcd. Hell, most have probably shown it to a user to give them an understanding of how to protect their digital personas. With the recent outbreak of attacks getting publicity, you would think people would be getting smarter and more serious about securing client data… or at least trying a teensy bit.

Relevant xkcd is relevant

One of the places we all feel it the most is in online banking and investments, most of them with crazy security pictures and obscure questions. Personally, I think these tend to make things less secure, since a user is going to write down a password or phrase forced on them that they absolutely know won’t be remembered. So when you see an institution like The Vanguard Group, a firm tasked with the care of trillions of dollars, posting a page like this one educating their users on passphrases and shorthand, it looks like they’re making an effort in some way. You would think…

It was brought to my attention by a coworker who has accounts with Vanguard that he was able to get into his account after he thought he had mistyped his password. So he tried again, purposely mistyping it. Got in. After a little testing he realized that his 15-20 character password was pointless, since Vanguard stops checking after 10 characters. They don’t decline access; they simply stop checking after the 10th character, so the user believes the rest of the password is protecting him when the server never even looks at it. First of all, why would you limit a password to 10 characters, especially at a bank? Second, why wouldn’t you put some sort of check in place that warns the user they’ve exceeded the length? If you’re someone who uses a common passphrase followed by a unique string on a per-site basis, you’re pretty much screwed here. But it gets better.
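To make the failure concrete, here is an added example (mine, not Vanguard’s code or anything from this post) that models the behaviour described above as a hypothetical `weak_check`, which compares only the first 10 characters and ignores case, next to a `strong_check` that feeds the whole password through a salted PBKDF2, compares case-sensitively in constant time, and rejects over-long input instead of silently cutting it off. The 128-character ceiling and the 100,000-iteration cost are assumed values, and the passwords are constructed test data.

```python
import hashlib
import hmac
import os

# Hypothetical model of the behaviour the post describes: only the first
# TRUNCATE_AT characters are compared, and case is ignored. Constructed for
# illustration; this is not Vanguard's code.
TRUNCATE_AT = 10


def weak_check(stored_password: str, supplied: str) -> bool:
    """Accepts any input whose first 10 characters match, ignoring case."""
    return stored_password[:TRUNCATE_AT].lower() == supplied[:TRUNCATE_AT].lower()


# Hardened version: the whole password goes through a slow, salted KDF, the
# comparison is case-sensitive and constant-time, and over-long input is
# refused loudly rather than truncated.
MAX_LEN = 128          # assumed ceiling: generous, but bounded so the KDF can't be abused for DoS
ITERATIONS = 100_000   # assumed PBKDF2 cost; tune so one check takes ~100 ms on your hardware


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(password: str) -> dict:
    """Returns the record to store: salt, cost and derived key. Never the password itself."""
    if len(password) > MAX_LEN:
        # Tell the user, don't silently keep a prefix.
        raise ValueError(f"password longer than {MAX_LEN} characters")
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS, "key": _derive(password, salt, ITERATIONS)}


def strong_check(record: dict, supplied: str) -> bool:
    """Case-sensitive, full-length, constant-time verification against a stored record."""
    if len(supplied) > MAX_LEN:
        return False  # could never have been registered, so no need to run the KDF
    candidate = _derive(supplied, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


if __name__ == "__main__":
    # Constructed sample: shared prefix plus a per-site tail, the pattern the post warns about.
    real = "Tr0ub4dor&3-vanguard"
    wrong_tail = "tr0ub4dor&3-LINKEDIN"
    print(weak_check(real, wrong_tail))   # True: neither the tail nor the case is ever looked at
    rec = register(real)
    print(strong_check(rec, real))        # True
    print(strong_check(rec, wrong_tail))  # False
```

Note that `weak_check` also accepts just the first ten characters on their own, which is exactly what makes a “common passphrase plus per-site suffix” scheme worthless under this policy: every site sharing the prefix is one credential.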

Out of curiosity, he played a bit to see how vulnerable his accounts were. He does have mixed case, digits, and specials in his password, but limited to 10 characters it gets substantially less secure than he’s comfortable with. But wait, the password isn’t case sensitive either… That’s right: with the 95 printable ASCII characters available, dropping case sensitivity shrinks the alphabet to 69 and brings the number of possible passwords from 6.05×10^19 down to 2.48×10^18. Those seem like pretty big numbers, but if someone were to get hold of the hashed passwords and run a brute force attack against them in a massive cracking array scenario (GRC’s figure of 100 trillion guesses per second), you’re looking at 1 week vs 6.89 hours to search the entire password space. Those figures assume a fast hash; a salt doesn’t change them, since it is normally stored right next to the hash and only defeats precomputed tables, not a brute-force run against one account. What does cut the guess rate, by orders of magnitude, is a deliberately slow password hash such as bcrypt, scrypt or PBKDF2. If they were to increase that limit to 15 characters, you’re looking at a massive difference even without case sensitivity: 3.88×10^27 possible passwords and 12.34 thousand centuries to brute force. Add case sensitivity and it climbs to 4.68×10^29 possibilities and 1.49 million centuries. I could go on all day with scenarios…
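The arithmetic behind those figures, as an added example that is not from the post or from GRC’s page: the search space is every string of length 1 through L over an alphabet of A symbols (GRC’s “haystack” model), divided by a guess rate. The alphabet sizes (95 printable ASCII, 69 once case is folded) and the guess rates (GRC’s published 10^3/s online, 10^11/s offline fast hash, 10^14/s massive cracking array) are the only inputs; `effective_space` adds the post’s twist that the server only ever checks the first 10 characters, and `rate_with_kdf` is my own helper showing what a slow password hash does to the same hardware. The exact rounding of GRC’s displayed figures may differ in the last digit.

```python
# Added example: GRC-style "haystack" search-space arithmetic for the figures in the post.
# Rates assume a fast hash with no key-derivation function (GRC's published assumptions).
PRINTABLE_ASCII = 26 + 26 + 10 + 33   # 95: upper, lower, digits, symbols
CASE_FOLDED = 26 + 10 + 33            # 69: what survives a case-insensitive comparison

RATES = {
    "online": 1e3,                    # throttled web login
    "offline fast hash": 1e11,        # stolen hashes, one fast GPU rig
    "massive cracking array": 1e14,   # the scenario quoted in the post
}
SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space(alphabet: int, max_len: int) -> int:
    """Every string of length 1..max_len over `alphabet` symbols (exact integer)."""
    return sum(alphabet ** k for k in range(1, max_len + 1))


def effective_space(password_len: int, policy_max_len=None, case_sensitive: bool = True) -> int:
    """Space an attacker must search given what the server actually checks.

    policy_max_len models silent truncation: characters past it never matter.
    """
    checked = min(password_len, policy_max_len) if policy_max_len else password_len
    return search_space(PRINTABLE_ASCII if case_sensitive else CASE_FOLDED, checked)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: the whole space; on average an attacker needs about half."""
    return space / guesses_per_second


def rate_with_kdf(rate: float, work_factor: int) -> float:
    """Assumed helper: a KDF costing `work_factor` hash evaluations per guess divides the rate."""
    return rate / work_factor


def human(seconds: float) -> str:
    if seconds < 60:
        return f"{seconds:.2f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.2f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.2f} hours"
    if seconds < 30 * 86400:
        return f"{seconds / 86400:.2f} days"
    years = seconds / SECONDS_PER_YEAR
    if years < 1000:
        return f"{years:.2f} years"
    return f"{years / 100:,.2f} centuries"


if __name__ == "__main__":
    rate = RATES["massive cracking array"]
    scenarios = [
        ("20-char password, only 10 checked, case-folded", effective_space(20, 10, False)),
        ("10 chars, case-sensitive", effective_space(10)),
        ("15 chars, case-folded", effective_space(15, None, False)),
        ("15 chars, case-sensitive", effective_space(15)),
    ]
    for label, space in scenarios:
        print(f"{label}: {space:.3g} passwords, {human(seconds_to_exhaust(space, rate))}")
    # Same truncated, case-folded space, but behind PBKDF2 at 100,000 iterations.
    slow = rate_with_kdf(rate, 100_000)
    print("with a 100k-iteration KDF:", human(seconds_to_exhaust(effective_space(20, 10, False), slow)))
```

The last line is the practical takeaway: the same 10-character, case-folded space that falls in under seven hours against a fast hash takes the same array decades once each guess costs 100,000 hash evaluations, which is why the hashing scheme matters at least as much as the length policy.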

How likely is an attack? I’m not sure, but I’d imagine with password security like that, getting hold of the database isn’t out of the realm of possibility. You’re talking about a bank that manages $2,000,000,000,000, not exactly a low-impact target like LinkedIn or Evernote.

Thoughts: It’s time for companies to step up and start enforcing real password policies. When you cap password length, ignore case, forbid special characters, etc., you are reducing the time it will take to completely compromise accounts when someone runs an attack against your infrastructure or gets hold of your user tables. On top of that, by limiting what your users can input you are taking responsibility from them and bearing the weight yourself. If an account is broken into and you’ve required the user to have a ridiculously insecure password, are they responsible or are you? If there was financial loss, who is responsible? In the worst case, what would a jury say?

*While Vanguard definitely isn’t the only company guilty of this, they are the ones who prompted this post. I think each and every company should be called out publicly.

**Password calculations done with Gibson Research Corporation’s Password Haystacks calculator (grc.com/haystack.htm).
